- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 9 Sep 2015 13:33:31 +0200
- To: Mike West <mkwst@google.com>
- Cc: Thomas Sepez <tsepez@google.com>, Tanvi Vyas <tanvi@mozilla.com>, Kepeng Li <kepeng.lkp@alibaba-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Sep 9, 2015 at 12:35 PM, Mike West <mkwst@google.com> wrote:
> As I recall, we've tried to do this a few times in Chrome. We've had both
> compatibility issues as well as security issues. Naively suppressing the
> dialog makes it possible to brute-force username/password combinations (as
> the user's never notified, and failures are distinguishable from successes
> via any number of side-channels (nativeWidth, etc)).

Well, that's only the case if you supply a username and password through the URL. The example I referenced is a URL without those that results in a challenge due to the 401. Making a distinction between the two might be worthwhile. Though I'd imagine that if we have some CSP directive it'd block both.

> +Tom, who knows more about the details than I do.

--
https://annevankesteren.nl/
Received on Wednesday, 9 September 2015 11:33:57 UTC